> High load may or may not be a problem depending on your traffic patterns.
> I've seen pf firewalls suffer by running out of state-table space in
> situations where there are a lot of fairly short-lived but low volume
> network connections. The default is 10,000 states. If your firewall machine
Is this state table a hash table or something similar? If so, making it
much bigger than the CPU cache may actually slow things down, because DRAM
access latency is huge on modern machines.
> On the whole I'd go with pf every time simply based on how much more
> manageable it is compared to ipfw -- you have to try, hard, to lock
> yourself out when reloading a new pf ruleset.
I already learned well about locking myself out after making a mistake in ipfw rules.
Now I run screen and do something like this:

cd /etc
cp firewall firewall.old                  # keep a copy of the known-good ruleset
cp firewall firewall.new                  # work on a copy, not the live file
${EDITOR:-vi} firewall.new                # "<edit>": open firewall.new in your editor
# install the new rules, and revert to the old ones automatically after 100 seconds
cp firewall.new firewall; /etc/rc.d/ipfw restart; sleep 100; cp firewall.old firewall; /etc/rc.d/ipfw restart

Then I have 100 seconds to quickly test the new rules, at least to make sure
I'm not locked out.
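The same idea as the one-liner above, as an added example that is not part of the original post: a small POSIX sh function that installs a new ruleset, reruns the apply command, and reverts unless a confirmation file appears before the timeout. The function name, the confirmation-file mechanism and the argument layout are assumptions; the apply command (for ipfw on FreeBSD, "/etc/rc.d/ipfw restart") is passed in, so the function itself touches nothing but the two files you name.

```shell
#!/bin/sh
# Hypothetical helper (not from the original post): a self-reverting ruleset reload.
#
#   safe_reload LIVE NEW APPLY_CMD TIMEOUT CONFIRM_FILE
#
# Copies NEW over LIVE (after saving LIVE as LIVE.old), runs APPLY_CMD, then waits
# up to TIMEOUT seconds for CONFIRM_FILE to exist. If it never appears (for example
# because the new rules locked you out and you cannot create it), LIVE.old is
# restored and APPLY_CMD is run again. Run it inside screen or tmux, test from a
# second window, and "touch CONFIRM_FILE" there once you are sure you still get in.
#
# Returns 0 when the new ruleset was confirmed, 1 when applying failed outright,
# 2 when the timeout expired and the old ruleset was restored.
safe_reload() {
    live=$1; new=$2; apply=$3; timeout=$4; confirm=$5
    old="$live.old"

    cp "$live" "$old" || return 1            # known-good copy first, before anything else
    cp "$new" "$live" || return 1
    rm -f "$confirm"                         # a stale confirmation must not count

    # eval so the apply command may carry arguments; if it fails, restore at once
    eval "$apply" || { cp "$old" "$live"; return 1; }

    i=0
    while [ "$i" -lt "$timeout" ]; do
        if [ -e "$confirm" ]; then
            echo "confirmed: keeping new ruleset in $live"
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done

    echo "no confirmation within ${timeout}s: restoring $old"
    cp "$old" "$live" && eval "$apply"
    return 2
}

# Example invocation for the setup described in the post (FreeBSD ipfw); run in screen:
#   safe_reload /etc/firewall /etc/firewall.new "/etc/rc.d/ipfw restart" 100 /tmp/fw.ok
# ...then, from another window, after checking you can still log in:
#   touch /tmp/fw.ok
```

Unlike the sleep-then-revert one-liner, this keeps the new ruleset only on an explicit confirmation, so a forgotten test window still ends with the old rules back in place, and a failed apply command reverts immediately instead of waiting out the timer.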